Kaspersky Discovers a New Backdoor Targeting Governments and NGOs across the Middle East, Turkey and Africa – African Business


Kaspersky (https://www.Kaspersky.co.za/) experts have brought to light a poorly detected backdoor, SessionManager, that was set up as a malicious module within Internet Information Services (IIS), the popular web server developed by Microsoft. Once deployed, SessionManager enables a wide range of malicious activities, from collecting emails to complete control over the victim’s infrastructure. The backdoor was discovered in March 2021 and has been used against governmental institutions as well as NGOs around the world. There have been eight victims across the Middle East and Africa region (Kuwait, Saudi Arabia, Nigeria and Kenya).

In December 2021, Kaspersky uncovered “Owowa” (https://bit.ly/3OGqMe4), a previously unknown IIS module that steals credentials entered by a user when logging into Outlook Web Access (OWA). Since then, the company’s experts have kept an eye on the new opportunity for cybercriminal activity – it has become clear that deploying a backdoor within IIS is a trend for threat actors, who previously exploited one of the “ProxyLogon-type” (https://bit.ly/3yFKeC1) vulnerabilities within Microsoft Exchange servers. Kaspersky experts discovered a new module backdoor called SessionManager during a recent investigation.

The SessionManager backdoor allows threat actors to maintain persistent, update-resistant and rather stealthy access to the IT infrastructure of a targeted organisation. Once it is dropped onto the victim’s system, the cybercriminals behind the backdoor can gain access to company emails, extend their malicious access by installing other types of malware, or clandestinely manage compromised servers, which can then be leveraged as malicious infrastructure.

SessionManager’s low detection rate is a distinctive feature. Kaspersky researchers discovered some backdoor samples in early 2022, and they were not flagged as malicious by most popular online file scanners. According to Kaspersky researchers’ Internet scan, SessionManager can still be found in more than 90 percent of targeted organisations.

SessionManager compromised 34 servers belonging to 24 organisations in Europe, South Asia and Africa. The attacker behind SessionManager shows a keen interest in NGOs and government agencies, but also in medical organisations, oil companies and transportation companies.

Because of a similar victimology and the use of the common “OwlProxy” (https://bit.ly/3OGnLKH) variant, Kaspersky experts believe that the malicious IIS module might have been leveraged by the GELSEMIUM (https://bit.ly/3Ap46dJ) threat actor, as part of its espionage operations.

“The exploitation of Exchange server vulnerabilities has been a favourite of cybercriminals looking to get into targeted infrastructure since Q1 2021. It enabled a series of long-unnoticed cyberespionage campaigns. SessionManager, a recently discovered vulnerability, was not detected for over a year. Most cybersecurity actors were busy responding to the first offences and investigating server-side vulnerabilities. As a result, it is still possible to discover related malicious activities months or years later, and this will probably be the case for a long time,” comments Pierre Delcher, Senior Security Researcher at Kaspersky’s Global Research and Analysis Team.

“Gaining visibility into actual and recent cyberthreats is paramount for companies to protect their assets. Such attacks may result in significant financial or reputational losses and may disrupt a target’s operations. Threat intelligence is the only component that can enable reliable and timely anticipation of such threats. In the case of Exchange servers, we cannot stress it enough: the past-year’s vulnerabilities have made them perfect targets, whatever the malicious intent, so they should be carefully audited and monitored for hidden implants, if they were not already,” adds Pierre.

Kaspersky products detect several malicious IIS modules, including SessionManager.

To learn more about SessionManager’s operation style and targets, visit Securelist.com (https://bit.ly/3bBycAr).

Kaspersky experts recommend that you also:

  • Regularly inspect the modules loaded on every exposed IIS server (not just Exchange servers), using the tools that ship with the IIS server suite to list them. Check for such modules as part of your threat hunting activities whenever a major vulnerability is reported in Microsoft server products.
  • Focus your defence strategy on detecting lateral movement as well as data exfiltration to the Internet, since malicious activity is most likely to show up in outgoing traffic. Back up data regularly and make sure you can access it quickly in an emergency.
  • Use solutions like Kaspersky Endpoint Detection and Response (https://bit.ly/3nzQViE) and the Kaspersky Managed Detection and Response (https://bit.ly/3bQAhIM) service, which help to identify and stop the attack in the early stages, before the attackers achieve their goals.
  • Use a reliable endpoint security solution, such as Kaspersky Endpoint Security for Business (KESB) (https://bit.ly/3uoRkYZ), that is powered by exploit prevention, behaviour detection and a remediation engine that is able to roll back malicious actions. KESB also provides self-defense mechanisms that can stop cybercriminals from removing it.
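The first recommendation above, inspecting loaded IIS modules, can be scripted. The following PowerShell is an added example (not code from Kaspersky or from the release) that lists the native global modules registered in IIS and flags any whose image file is missing, lives outside the usual Microsoft directories, or is not signed by Microsoft; it assumes an elevated session on the IIS host with the WebAdministration module available, and that `$expectedDirs` matches your build.

```powershell
# Added example, not from the Kaspersky release: enumerate native IIS global
# modules and report the ones a defender should review by hand.
# Assumes an elevated session on the IIS host with WebAdministration installed.
Import-Module WebAdministration -ErrorAction Stop

# Directories where Microsoft-shipped native IIS modules normally live.
# Adjust this list if your build legitimately loads vendor modules elsewhere.
$expectedDirs = @(
    (Join-Path $env:windir 'System32\inetsrv'),
    (Join-Path $env:windir 'Microsoft.NET')
)

function Get-SuspiciousIisModules {
    foreach ($m in Get-WebGlobalModule) {
        # Image paths are stored with %windir%-style variables; expand first.
        $path    = [Environment]::ExpandEnvironmentVariables($m.Image)
        $reasons = @()

        if (-not (Test-Path -LiteralPath $path)) {
            $reasons += 'image file missing on disk'
        } else {
            $inExpectedDir = $false
            foreach ($d in $expectedDirs) {
                if ($path.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) {
                    $inExpectedDir = $true
                }
            }
            if (-not $inExpectedDir) { $reasons += 'loaded from unexpected directory' }

            # Authenticode check: unsigned, tampered, or non-Microsoft signer.
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            if ($sig.Status -ne 'Valid') {
                $reasons += "signature status: $($sig.Status)"
            } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                $reasons += "non-Microsoft signer: $($sig.SignerCertificate.Subject)"
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name    = $m.Name
                Image   = $path
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousIisModules | Format-Table -AutoSize
```

Managed (.NET) modules registered under `<system.webServer><modules>` are not covered by `Get-WebGlobalModule`, so review those separately as part of the same hunt.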

Distributed by APO Group in support of Kaspersky

For more information, please call:
Nicole Allman | INK&Co. (www.InkAndCo.co.za)
Cell: +27 83 251 2769

Social Media
Facebook: https://bit.ly/3wZnMS7
Twitter: https://bit.ly/3M0M4kl
YouTube: https://bit.ly/3Mdr1vb
Instagram: https://bit.ly/3t40I3N
Blog: https://bit.ly/3N1bIXz

Kaspersky:
Kaspersky, a global cybersecurity and privacy company, was founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Kaspersky technology protects over 400 million users. We also help 240,000 corporate clients to protect what is most important. Find out more at www.Kaspersky.co.za

APO issued this Press Release. The content has not been reviewed by African Business’ editorial team. This announcement is solely the responsibility of the issuer.

Source: african.business
